Introduction
Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.
In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.
This tutorial will use a separate Nginx server configuration file instead of the default file. We recommend creating new Nginx server block files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.
Prerequisites
To follow this tutorial, you will need:
One Ubuntu 20.04 server set up by following this initial server setup for Ubuntu 20.04 tutorial, including a sudo-enabled non-root user and a firewall.
A registered domain name. This tutorial will use example.com throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.
Both of the following DNS records set up for your server. If you are using DigitalOcean, please see our DNS documentation for details on how to add them.
- An A record with example.com pointing to your server’s public IP address.
- An A record with www.example.com pointing to your server’s public IP address.
Nginx installed by following How To Install Nginx on Ubuntu 20.04. Be sure that you have a server block for your domain. This tutorial will use /etc/nginx/sites-available/example.com as an example.
Step 1 — Installing Certbot
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.
Install Certbot and its Nginx plugin with apt:
- sudo apt install certbot python3-certbot-nginx
Certbot is now ready to use, but in order for it to automatically configure SSL for Nginx, we need to verify some of Nginx’s configuration.
Step 2 — Confirming Nginx’s Configuration
Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.
If you followed the server block setup step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/example.com with the server_name directive already set appropriately.
To check, open the configuration file for your domain using nano or your favorite text editor:
- sudo nano /etc/nginx/sites-available/example.com
Find the existing server_name line. It should look like this:
/etc/nginx/sites-available/example.com
...
server_name example.com www.example.com;
...
If it does, exit your editor and move on to the next step.
If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
- sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:
- sudo systemctl reload nginx
Certbot can now find the correct server block and update it automatically.
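Because the Nginx plugin locates the block to edit by matching server_name against the names you pass with -d, a mismatch (for example a server block that lists only example.com while you request www.example.com too) is the usual reason the plugin fails to install a certificate. The following script is an added example, not part of the original tutorial: it extracts every name declared in server_name directives of a server block file, ignoring comments, and reports any requested domain that is missing. The sample server block and the file path it writes to are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: before running
# "certbot --nginx -d ...", confirm that every domain you will pass with -d
# is declared in a server_name directive of the server block file, since
# that is how the Nginx plugin locates the block to edit. The sample
# configuration below is constructed for the demonstration.

# list_server_names FILE
# Prints one name per line from every server_name directive in FILE,
# after stripping comments.
list_server_names() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*server_name[[:space:]]' \
      | sed -e 's/^[[:space:]]*server_name[[:space:]]*//' -e 's/;.*$//' \
      | tr ' \t' '\n\n' \
      | grep -v '^$'
}

# check_server_name FILE DOMAIN...
# Returns 0 when every DOMAIN appears in a server_name line of FILE,
# 1 when at least one is missing (each missing name is reported on stderr).
check_server_name() {
    file=$1
    shift
    names=$(list_server_names "$file")
    rc=0
    for d in "$@"; do
        if printf '%s\n' "$names" | grep -qx "$d"; then
            echo "ok: $d is declared in $file"
        else
            echo "missing: $d is not in any server_name line of $file" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample server block, in the shape the Nginx tutorial creates.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/example.com/html;
    index index.html;
    server_name example.com www.example.com;   # must list every -d domain
    location / {
        try_files $uri $uri/ =404;
    }
}
EOF

# Same domains as the certbot command in Step 4; exits 0 when all are present.
check_server_name "$SAMPLE_CONF" example.com www.example.com
rm -f "$SAMPLE_CONF"
```

Run it against the real file with check_server_name /etc/nginx/sites-available/example.com example.com www.example.com before invoking certbot; a non-zero exit means the server block needs its server_name line updated (and nginx -t plus a reload) first.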
Next, let’s update the firewall to allow HTTPS traffic.
Step 3 — Allowing HTTPS Through the Firewall
If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation.
You can see the current setting by typing:
- sudo ufw status
It will probably look like this, meaning that only HTTP traffic is allowed to the web server:
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
To additionally let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:
- sudo ufw allow 'Nginx Full'
- sudo ufw delete allow 'Nginx HTTP'
Your status should now look like this:
- sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Next, let’s run Certbot and fetch our certificates.
Step 4 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
- sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the domain names we’d like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.
If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Let’s finish by testing the renewal process.
Step 5 — Verifying Certbot Auto-Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.
You can query the status of the timer with systemctl:
- sudo systemctl status certbot.timer
Output
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service
To test the renewal process, you can do a dry run with certbot:
- sudo certbot renew --dry-run
If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
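The dry run proves that renewal can work today; it does not tell you later whether the timer kept succeeding. The expiry warning email only goes to the address you gave certbot, so an independent check of the certificate actually on disk is worth having. The script below is an added example, not from the tutorial or the Certbot project: it reads the notAfter date from the installed fullchain.pem with openssl, converts dates to day numbers in awk (so it needs no GNU date extensions), and exits non-zero when fewer than a chosen number of days remain, which is the signal that certbot.timer has been failing to renew. The PEM path and the threshold are parameters you supply; the dates used in the comments and checks are the ones shown in the tutorial's output.

```shell
#!/bin/sh
# Added example, not from the tutorial: a certificate expiry check to run
# alongside certbot.timer (for example from cron or a monitoring agent), so
# that a renewal that keeps failing is noticed before the 90-day certificate
# expires. It reads notAfter from the PEM file with "openssl x509 -enddate",
# converts dates to day numbers in awk and fails when fewer than THRESHOLD
# days remain. Certbot itself renews at 30 days, so a threshold of, say, 20
# only trips when several renewal attempts have already failed.

# days_since_epoch YEAR MONTH DAY -> days since 1970-01-01 (Gregorian calendar)
days_since_epoch() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) { y -= 1; m += 12 }
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# month_number MON -> 1..12 for the abbreviated month names openssl prints
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_until_expiry "notAfter=Aug 18 12:00:00 2020 GMT" YYYY-MM-DD
# -> whole days from the given date until the certificate's notAfter
days_until_expiry() {
    today=$2
    set -- ${1#notAfter=}            # $1=Mon $2=DD $3=HH:MM:SS $4=YYYY $5=GMT
    mon=$(month_number "$1") || return 1
    exp=$(days_since_epoch "$4" "$mon" "$2")
    ty=${today%%-*}; rest=${today#*-}; tm=${rest%%-*}; td=${rest#*-}
    now=$(days_since_epoch "$ty" "${tm#0}" "${td#0}")
    echo $((exp - now))
}

# check_cert_expiry PEM_FILE THRESHOLD_DAYS [TODAY]
# 0 when at least THRESHOLD days remain, 1 when fewer, 2 when unreadable.
# TODAY (YYYY-MM-DD) defaults to the current UTC date.
check_cert_expiry() {
    pem=$1; threshold=$2; today=${3:-$(date -u +%Y-%m-%d)}
    notafter=$(openssl x509 -in "$pem" -noout -enddate) || return 2
    left=$(days_until_expiry "$notafter" "$today") || return 2
    if [ "$left" -lt "$threshold" ]; then
        echo "WARNING: $pem expires in $left days (< $threshold);" \
             "check 'systemctl status certbot.timer' and 'certbot renew --dry-run'" >&2
        return 1
    fi
    echo "OK: $pem expires in $left days"
}

# Usage: sh check-cert-expiry.sh /etc/letsencrypt/live/example.com/fullchain.pem 20
if [ "$#" -gt 0 ]; then
    check_cert_expiry "$1" "${2:-20}"
fi
```

Pointing it at /etc/letsencrypt/live/example.com/fullchain.pem (the path certbot reported above) with a threshold below certbot's own 30-day renewal window means a warning can only appear once automatic renewal has failed repeatedly, which is exactly the condition the dry run cannot reveal in advance.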
Conclusion
In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, the official documentation is a good place to start.
FAQs
How do I install a Let's Encrypt SSL certificate on Ubuntu Nginx?
The first step to using Let's Encrypt to obtain an SSL certificate is to install the Certbot software on your server. Install Certbot and its Nginx plugin with apt: sudo apt install certbot python3-certbot-nginx.
How do you secure Apache with Let's Encrypt on Ubuntu 20?
- Step 1: Install Apache2 Web Server. ...
- Step 2: Installing Certbot. ...
- Step 3: Checking your Apache Virtual Host Configuration. ...
- Step 4: Allowing HTTPS Through the Firewall. ...
- Step 5: Obtaining an SSL Certificate. ...
- Step 6: Verifying Certbot Auto-Renewal.
Nginx: redirect all HTTP traffic to HTTPS
Here is a breakdown of the directives: listen 80; instructs Nginx to catch all HTTP traffic on port 80. server_name _; matches any hostname. return 301 tells the browser (and search engines) that this is a permanent redirect.
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let's Encrypt is a CA. In order to get a certificate for your website's domain from Let's Encrypt, you have to demonstrate control over the domain.
How do I enable encryption in Ubuntu?
- Step 1: Download Ubuntu 22.04 ISO. ...
- Step 2: Create a Bootable Ubuntu USB Drive. ...
- Step 3: Start Ubuntu Installation Using USB Drive. ...
- Step 4: Create a New GPT Partition. ...
- Step 5: Create a New Partition for Installation. ...
- Step 6: Encrypting Boot and OS Partition. ...
- Step 7: Format Partitions.
The default location to install certificates is /etc/ssl/certs. This enables multiple services to use the same certificate without overly complicated file permissions. For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.
How do I enable HTTPS on Ubuntu Server?
- Prerequisites.
- Step 1: Log in via SSH and Update Packages.
- Step 2: Enable Mod SSL.
- Step 3: Create a Self-Signed SSL Certificate.
- Step 4: Enable HTTPS and Install an SSL Certificate.
How can I make Ubuntu 20.04 more secure?
- Change the default SSH port.
- Install and setup ufw.
- Generate keygen.
- Only allow login with keygen.
- Install and setup fail2ban.
- Setup two factor authentication.
On Linux systems, the .pem files are located in these directories: For Let's Encrypt extension - /usr/local/psa/var/modules/letsencrypt/etc/archive/example.com/.
Is NGINX secure by default?
nginx's core codebase (memory management, socket handling, etc.) is very secure and stable, though vulnerabilities in the main binary itself do pop up from time to time. For this reason it's very important to keep nginx up-to-date.
What is the most secure Linux server?
- Qubes OS. Qubes OS is one of the most secure Linux distros available. ...
- Whonix. Whonix is based on the Debian GNU/Linux to offer outstanding security and advanced level privacy. ...
- Tails (The Amnesic Incognito Live System) ...
- Kali Linux. ...
- Parrot Security OS. ...
- BlackArch Linux. ...
- IprediaOS. ...
- Discreete.
However, if the specified index files are not in the directory, Nginx will return 403 forbidden error. One way to resolve this issue is to add the index file specified in the configuration file or add the available index file to the config file.
How do I enable force SSL?
- Log in to cPanel.
- Once in cPanel, on the right-hand side, you can see the domain validated certificate in place for your particular domain.
- Click on Domains under the Domains section.
- Switch the little toggle that says Force HTTPS Redirect from Off to On.
Why should you use Force HTTPS on your website? Using HTTPS instead of HTTP means that communications between your browser and a website is encrypted via the use of an SSL (Secure Socket Layer). Even if your website doesn't handle sensitive data, it's a good idea to make sure your website loads securely over HTTPS.
How do I enable HTTPS on Linux?
- Make sure that the ssl.conf file is present under $CPITBASE/3rd_party/apache2/etc/httpd/conf.d. ...
- Make sure that the mod_ssl.so file is present under $CPITBASE/3rd_party/apache2/etc/httpd/modules. If not, then copy it from the /etc/httpd/modules path.
Let's Encrypt is a new Certificate Authority (CA) that offers FREE SSL certificates that are just as secure as paid certificates.
Is Let's Encrypt secure enough?
The answer is that yes, Let's Encrypt is a free and secure option if you need an SSL certificate for your website. In fact, the whole point of Let's Encrypt is giving the public free access to more security for their websites without making money from them.
Can I use LetsEncrypt with an IP address?
Let's Encrypt doesn't issue certificates for IP addresses. ZeroSSL does, it was fairly straightforward to get a free one through their website when I tried many months ago. I'm not sure whether they make it available via their ACME integration though.
Is LetsEncrypt TLS or SSL?
Let's Encrypt is a global Certificate Authority (CA). We let people and organizations around the world obtain, renew, and manage SSL/TLS certificates. Our certificates can be used by websites to enable secure HTTPS connections.
Is LetsEncrypt SSL free?
Let's Encrypt is a free, automated, and open certificate authority (CA). Yes, that's right: SSL/TLS certificates for free.
What ports need to be open for LetsEncrypt?
If you want to use http validation, inbound port 80 and a working webserver is required. If that webserver redirects to https, then inbound https is required. If you use dns validation, no incoming port 80 / 443 is required.
Should I enable encryption in Ubuntu?
The best way to keep your Ubuntu 22.04 system and files completely secure in the case of theft is to enable full disk encryption. This way, if your device is stolen or someone is sitting at your desk and trying to boot into your PC, they will need to know your password in order to mount any partitions.
Does Ubuntu encrypt by default?
Ubuntu Core 20 and 22 use full disk encryption (FDE) whenever the hardware allows, protecting both the confidentiality and integrity of a device's data when there's physical access to a device, or after a device has been lost or stolen.
How do I enable disk encryption in Ubuntu 20.04 after installation?
- Step 1: Install Encryption Packages. ...
- Step 2: Create Another User and Assign Sudo Privileges. ...
- Step 3: Encrypt the Home Directory. ...
- Step 4: Confirm Encryption and Record Passphrase. ...
- Step 5: Encrypt the Swap Space.
You should use openssl s_client, and the option you are looking for is -tls1_2. If you get the certificate chain and the handshake, you know the system in question supports TLS 1.2. If you don't see the certificate chain, and see something similar to "handshake error", you know it does not support TLS 1.2.
How do I enable TLS 1.2 on Ubuntu server?
Go to Webmin > Servers > Apache Webserver > Existing virtual hosts tab > YOUR_VIRTUAL_SERVER:443 > SSL Options > SSL protocols > Tick TLS v1.0, 1.1, 1.2, 1.3 and Untick SSLv2 and SSLv3.
Is TLS 1.2 automatically enabled?
TLS 1.2 is automatically enabled in Google Chrome version 29 or greater.
How do I trust a certificate in Ubuntu?
- To add: Copy your CA to dir /usr/local/share/ca-certificates/. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt. Update the CA store: sudo update-ca-certificates.
- To remove: Remove your CA. Update the CA store: sudo update-ca-certificates --fresh.
Is Ubuntu 20.04 LTS secure?
Being an LTS release, Ubuntu Server 20.04 comes with five years of support by default. However, the ESM service extends security updates for an additional five years. This results in a super stable platform for both infrastructure and applications deployment that is optimised for enterprise needs.
Does Ubuntu 20.04 use nftables?
nftables is now the default in Debian 10, Ubuntu 20.04, RHEL 8, SUSE 15 and Fedora 32.
Does Ubuntu 20.04 support secure boot?
Ubuntu 20.04 supports UEFI firmware and can boot on PCs with secure boot enabled. So, you can install Ubuntu 20.04 on UEFI systems and Legacy BIOS systems without any problems.
How do I manually generate a Let's Encrypt certificate?
- Step 1: Install the Lego client. ...
- Step 2: Generate a Let's Encrypt certificate for your domain. ...
- Step 3: Configure the Web server to use the Let's Encrypt certificate. ...
- Step 4: Test the configuration. ...
- Step 5: Renew the Let's Encrypt certificate.
Let's Encrypt has a “root certificate” called ISRG Root X1. Modern browsers and devices trust the Let's Encrypt certificate installed on your website because they include ISRG Root X1 in their list of root certificates.
How do you secure Nginx with LetsEncrypt?
- Prerequisites.
- Step 1 — Installing Certbot.
- Step 2 — Confirming Nginx's Configuration.
- Step 3 — Allowing HTTPS Through the Firewall.
- Step 4 — Obtaining an SSL Certificate.
- Step 5 — Verifying Certbot Auto-Renewal.
- Conclusion.
Let's Encrypt is now trusted by all major certificates, paving the way forward for more widespread encryption on the Web.
How do I get an SSL certificate from LetsEncrypt?
To get a free SSL/TLS certificate from Let's Encrypt:
- Go to Websites & Domains > Let's Encrypt.
- Specify the email address that will be used for urgent notices and lost key recovery.
nginx is built to be stable and secure, but it will only be as secure as the user who configures it. Once nginx is built and installed, configuring the server to be as minimal as possible is important.
How do you secure nginx with Let's Encrypt on CentOS?
- 1 Install the required software.
- 2 Installing acme.sh Let's Encrypt client.
- 3 Create acme-challenge directory.
- 4 Create dhparams.pem file.
- 5 Obtain a certificate for domain.
- 6 Configure Nginx.
- 7 Install certificate.
- 8 Firewall configuration.
How do you install a Let's Encrypt SSL certificate on Ubuntu?
- Install Certbot in Ubuntu 20.04. Install Certbot in Ubuntu with PIP. Install Certbot in Ubuntu with snapd.
- Create an SSL Certificate with Certbot. SSL Maintenance and Troubleshooting. SSL Improvements.
(NGINX itself is written in C and does not use Java or any Java‑based libraries so was unaffected by the Log4j vulnerabilities…)
How do I enable TLS on nginx?
- Open the terminal application.
- Login to Nginx server using the ssh command.
- Edit nginx.conf file or virtual domain config file.
- Set TLS version by editing ssl_protocols TLSv1.2;
- For TLS version 1.3 by add ssl_protocols TLSv1.3;
It's simple – There's no payment, no validation emails, and certificates renew automatically. It's secure – Let's Encrypt serves as a platform for implementing modern security techniques and best practices.
Ubuntu is configured to be secure by default. A fresh installation of Ubuntu Desktop does not open up any network ports that could be abused by an attacker, and has a firewall already enabled.
Is NGINX a Russian company?
Nginx Inc. was founded in July 2011 by Sysoev and Maxim Konovalov to provide commercial products and support for the software. The company's principal place of business is San Francisco, California, while legally incorporated in the British Virgin Islands.
How do I add a free SSL certificate to nginx?
- Step 1 - Login to your server via SSH. ...
- Step 2 - Create Virtual Host. ...
- Step 3 - Configure the NGINX Configuration file. ...
- Step 4 - Unlink the default NGINX Configuration File. ...
- Step 5 - Link our new config file. ...
- Step 6 - Test configuration error.
Why not use Let's Encrypt?
It doesn't mean you can use it safely. As a further concern, little protection preventing distributors of malware from making use of Let's Encrypt exists. Malware distributors have already taken advantage of this. For example, around 15,000 certificates have been issued to phishing sites containing 'PayPal' as a term.
Does Nginx use SSL?
The directives ssl_protocols and ssl_ciphers can be used to limit connections to include only the strong versions and ciphers of SSL/TLS. By default nginx uses “ssl_protocols TLSv1 TLSv1.